Problem with UDP traffic leaving ASA after it arrives over a VPN tunnel
We have two ASA's running 8.0(3)6, with one set up as the EZVPN server and the other as the EZVPN client. The EZVPN server forwards the packets internally to a FWSM running an old version of firmware (2.3(2)) configured in our core switch. Between the EZVPN server and the FWSM there are a couple switches with trunks configured on them. There are no SVIs on any of the switches except for management.
All TCP traffic makes it round trip across the tunnel and to the hosts connected to the switch where the FWSM resides. However, only UDP/123 and 137 make it round trip. I've set up a packet capture on the EZVPN server, and I see all UDP packets arrive and appear to leave the firewall. However, I only see the two UDP packets actually arrive at the FWSM. The FWSM has an access list with "permit IP any any" and with static 1:1 NATs for the entire subnet. The servers are not running a firewall, and a "netstat -rn" has no extraneous routes. We get the same results for all hosts on the core switch over the VPN. We have no problems with any traffic between the various firewalled VLANs.
I'm at a loss. Does anyone have any thoughts? Thank you.
Re: Problem with UDP traffic leaving ASA after it arrives over a VPN tunnel
Perhaps there are one or a few devices sitting in between your EZVPN Server and FWSM that are dropping this traffic, e.g. an IPS? Do you have a complete physical diagram between your EZVPN Server and FWSM? It would be nice to see it, so that I can assist you further.
Assuming there are 2 Cisco access switches between your EZVPN Server and FWSM, something like this;
As you've already mentioned, you can see the UDP packets leaving the INSIDE interface of the EZVPN Server heading towards the FWSM, but the FWSM sees very little. Let's place a PC with Wireshark on Switch-A to verify if the UDP packets arrive at Switch-A. If yes, then do the same for Switch-B, and so on and so forth.
The bottom line here is to identify the product that's in between the EZVPN Server and FWSM, which is swallowing the UDP packets for dinner :-).
P/S: If you think my comments are helpful, please do rate them nicely :-)
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
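The hop-by-hop capture approach suggested above, carried through as an added Python example (not code from the thread): it parses tcpdump-style one-line summaries taken at each capture point along the path and reports the last point that saw each UDP flow, which is where the missing packets disappear. The capture point names, addresses and ports are constructed for the example.

```python
import re
# Constructed tcpdump-style summaries from four capture points, in path order
# (EZVPN server inside interface -> Switch-A -> Switch-B -> FWSM outside).
# Addresses and ports are made up for this example.
CAPTURES = {
    "asa-inside": [
        "10.1.1.5.50000 > 10.2.2.10.123: UDP, length 48",
        "10.1.1.5.50001 > 10.2.2.10.137: UDP, length 50",
        "10.1.1.5.50002 > 10.2.2.10.514: UDP, length 120",
        "10.1.1.5.50004 > 10.2.2.10.445: Flags [S], seq 1, win 65535, length 0",
    ],
    "switch-a": [
        "10.1.1.5.50000 > 10.2.2.10.123: UDP, length 48",
        "10.1.1.5.50001 > 10.2.2.10.137: UDP, length 50",
        "10.1.1.5.50002 > 10.2.2.10.514: UDP, length 120",
    ],
    "switch-b": [
        "10.1.1.5.50000 > 10.2.2.10.123: UDP, length 48",
        "10.1.1.5.50001 > 10.2.2.10.137: UDP, length 50",
    ],
    "fwsm-outside": [
        "10.1.1.5.50000 > 10.2.2.10.123: UDP, length 48",
        "10.1.1.5.50001 > 10.2.2.10.137: UDP, length 50",
    ],
}

# Matches "src.sport > dst.dport: UDP"; TCP lines and anything else are skipped.
UDP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")

def udp_flows(lines):
    """Set of (src, sport, dst, dport) tuples for the UDP packets in one capture."""
    return {(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            for m in map(UDP_RE.search, lines) if m}

def last_seen(captures):
    """Map each UDP flow to the furthest capture point (in path order) that saw it."""
    result = {}
    for point, lines in captures.items():  # dict keeps insertion (path) order
        for flow in udp_flows(lines):
            result[flow] = point
    return result

def dropped_after(captures):
    """Flows that never reach the final point, grouped by the last point that saw them."""
    final = list(captures)[-1]
    report = {}
    for flow, point in last_seen(captures).items():
        if point != final:
            report.setdefault(point, []).append(flow)
    return {point: sorted(flows) for point, flows in report.items()}
```

With the constructed captures, `dropped_after(CAPTURES)` points at Switch-A as the last hop that saw the syslog flow, so the next device to examine is whatever sits between Switch-A and Switch-B.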
Re: Problem with UDP traffic leaving ASA after it arrives over a VPN tunnel
Thanks for the reply. I had all the equipment in our lab, so I blew away the old configuration and redid it. I didn't keep the old configuration and do a comparison, but I didn't have any problems with the second round. Sorry for not closing down this thread.